Amendments to the Claims : 



10007.000110 



This listing of claims will replace all prior versions, and 
listings, of claims in the application: 

Listing of Claims : 

Claim 1 (currently amended) : A method of detecting states 
that are activated by a computer unit, in order to detect 
an unauthorized behavior or an unauthorized software 
program, the method comprising: 

transmitting a structured signal file to a monitor 
station, wherein the structured signal file includes an 
initial recording of registry information from an internal 
registry in the computer unit, initial internal directory 
information and initial file information that are required 
during boot-up of an operating system in the computer unit, 
and initial internal directory information and initial file 
information that are required when the operating system 
initiates a third-party software program; 

checking a set of values in a memory area of the 
computer unit or in a proprietary file stored within the 
computer unit, with each set of values corresponds^ to a 
state activated by the computer unit, wherein the checking 
includes calculating a maximum base count for entries in a 
defined registry segment in the internal registry in the 
computer unit in order to determine if any registry data in 
the defined registry segment has been modified ; 

if registry data in the defined registry segment has 
been modified, then transmitting to the monitor station a 
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first signal probe alert which indicates the defined 
registry segment which has been modified, and comparing the 
defined registry segment with the initial recording of the 
registry information; 

monitoring all directory information and file 
information required during boot-up of the operating system 
in the computer unit; 

if a new directory in the directory information is 
detected with a new software program, then transmitting to 
the monitor station a second signal probe alert which 
indicates the new directory, and comparing the new 
directory with the initial internal directory information 
and initial file information that are required during boot- 
up of the operating system; 

monitoring all directories and files that are required 
to initiate third party software programs; and 

if a third party software program initiates and 
modifies any of the directories or files that are required 
to initiate third party software programs, then 
transmitting to the monitor station a third signal probe 
alert which indicates the modified directory or modified 
file, and comparing the modified directory or modified file 
with initial internal directory information and initial 
file information that are required when the operating 
system initiates a third-party software program 
and 

capturing each oct of vqIuco to determine each state 

activated by the computer unit . 
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Claim 2 (Original) : The method of claim 2 wherein the 
checking the set of values comprises: 

initiating a parallel registry segment thread. 

Claim 3 (Original) : The method of claim 2 wherein the 
initiating the parallel registry segment thread comprises: 
collecting registry data. 

Claim 4 (currently amended) : The method of claim 1 wherein 
the chocking the oct of vqIuco monitoring all directory 
information and file information required during boot-up of 
the operating system in the computer unit comprises: 

initiating a parallel operating system segment thread. 

Claim 5 (Original) : The method of claim 4 wherein the 
initiating the parallel operating system segment thread 
comprises : 

analyzing at least one of an operating system 
directory structure, "root" and all directories and sub- 
directories . 

Claim 6 (currently amended) : The method of claim 1 wherein 
the chocking the oct of vqIuco monitoring all directories 
and files that are required to initiate third party 
software programs comprises: 

initiating a parallel third party segment thread. 

Claim 7 (Original) : The method of 6 wherein the initiating 
the parallel third party segment thread comprises: 
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scanning all third party start up files and all 
initialization files • 

Claim 8 (Original) : The method of claim 1 wherein the 
checking the set of values comprises: 
initiating a polling thread. 

Claim 9 (Original) : The method of claim 8 wherein the 
initiating the polling thread comprises: 

loading configuration data into memory. 

Claim 10 (Original) : The method of claim 8 wherein the 
initiating the polling thread comprises: 

loading stored directory configuration data to memory. 

Claim 11 (Original) : The method of claim 8 wherein the 
initiating the polling thread comprises: 

loading a third party start up information into 
memory. 

Claim 12 (Original) : The method of claim 8 wherein the 
initiating the polling comprises: 

detecting for an unauthorized modification. 

Claim 13 (cancelled) : 

Claim 14 (currently amended) : An article of manufacture, 
comprising: 

a machine-readable medium having stored thereon 
instructions to: 
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transmit a structured signal file to a monitor 
station, wherein the structured signal file includes an 
initial recording of registry information from an internal 
registry in the computer unit, initial internal directory 
information and initial file information that are required 
during boot-up of an operating system in the computer unit, 
and initial internal directory information and initial file 
information that are required when the operating system 
initiates a third-party software program; 

check a set of values in a memory area of the computer 
unit or in a proprietary file stored within the computer 
unit, with each set of values correspond to a state 
activated by the computer unit, wherein the checking 
includes calculating a maximum base count for entries in a 
defined registry segment in the internal registry in the 
computer unit in order to determine if any registry data in 
the defined registry segment has been modified ; 

if registry data in the defined registry segment has 
been modified, then transmit to the monitor station a first 
signal probe alert which indicates the defined registry 
segment which has been modified, and compare the defined 
registry segment with the initial recording of the registry 
information; 

monitor all directory information and file information 
required during boot-up of the operating system in the 
computer unit; 

if a new directory in the directory information is 
detected with a new software program, then transmit to the 
monitor station a second signal probe alert which indicates 
the new directory, and compare the new directory with the 
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initial internal directory information and initial file 
information that are required during boot-up of the 
operating system; 

monitor all directories and files that are required to 
initiate third party software programs; and 

if a third party software program initiates and 
modifies any of the directories or files that are required 
to initiate third party software programs^ then transmit to 
the monitor station a third signal probe alert which 
indicates the modified directory or modified file^ and 
compare the modified directory or modified file with 
initial internal directory information and initial file 
information that are required when the operating system 
initiates a third-party software program 
and 

capture CQch oct of values to determine each otatc 

activated by the computer unit > 

Claim 15 (currently amended) : An apparatus for detecting 
states that are activated by a computer unit, in order to 
detect an unauthorized behavior or an unauthorized software 
program, the apparatus comprising: 

means for transmitting a structured signal file to a 
monitor station, wherein the structured signal file 
includes an initial recording of registry information from 
an internal registry in the computer unit, initial internal 
directory information and initial file information that are 
required during boot-up of an operating system in the 
computer unit, and initial internal directory information 
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and initial file information that are required when the 
operating system initiates a third-party software program; 

means for checking a set of values in a memory area of 
the computer unit or in a proprietary file stored within 
the computer unit, with each set of values correspond to a 
state activated by the computer unit, wherein the checking 
includes calculating a maximum base count for entries in a 
defined registry segment in the internal registry in the 
computer unit in order to determine if any registry data in 
the defined registry segment has been modified ; 

means for transmitting to the monitor station a first 
signal probe alert which indicates the defined registry 
segment which has been modified, and for comparing the 
defined registry segment with the initial recording of the 
registry information, if registry data in the defined 
registry segment has been modified; 

means for monitoring all directory information and 
file information required during boot-up of the operating 
system in the computer unit; 

means for transmitting to the monitor station a second 
signal probe alert which indicates the new directory, and 
for comparing the new directory with the initial internal 
directory information and initial file information that are 
required during boot-up of the operating system, if a new 
directory in the directory information is detected with a 
new software program; 

means for monitoring all directories and files that 
are required to initiate third party software programs; and 

means for transmitting to the monitor station a third 
signal probe alert which indicates the modified directory 



In re Robert F. Terry 
US App. No. 09/827,451 



8 



10007.000110 

or modified file^ and for comparing the modified directory 
or modified file with initial internal directory 
information and initial file information that are required 
when the operating system initiates a third-party software 
program, if a third party software program initiates and 
modifies any of the directories or files that are required 
to initiate third party software programs 

eftd 

communicatively coupled to the checking means, — means 

for capturing each set of values to determine each state 
activated by the computer unit . 

Claim 16-39 (previously canceled) 

Claim 40 (new) : The method of claim 1, further comprising: 
restoring the modified registry segment to an original 
state . 

Claim 41 (new) : The method of claim 1, further comprising: 

removing the new directory in the directory 
information . 

Claim 42 (new) : The method of claim 1, further comprising: 
restoring the modified directory or modified file that 
are required to initiate third party software programs to 
an original state. 

Claim 43 (new) : The article of claim 14, further 
comprising: 
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a machine-readable medium having stored thereon 
instructions to: 

restore the modified registry segment to an original 
state . 

Claim 44 (new) : The article of claim 14, further 
comprising: 

a machine-readable medium having stored thereon 
instructions to: 

remove the new directory in the directory information. 

Claim 45 (new) : The article of claim 14, further 
comprising: 

a machine-readable medium having stored thereon 
instructions to: 

restore the modified directory or modified file that 
are required to initiate third party software programs to 
an original state. 

Claim 46 (new) : The apparatus of claim 15, further 
comprising : 

means for restoring the modified registry segment to 
an original state. 

Claim 47 (new) : The apparatus of claim 15, further 
comprising : 

means for removing the new directory in the directory 
information . 
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Claim 48 (new) : The apparatus of claim 15, further 
comprising: 

means for restoring the modified directory or modified 
file that are required to initiate third party software 
programs to an original state. 
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